[apparmor] [PATCH 3/4] Update permission mapping for changes made to the upstream kernel patch.

Steve Beattie steve at nxnw.org
Thu Mar 15 19:36:37 UTC 2012


On Thu, Mar 15, 2012 at 09:36:27AM -0700, John Johansen wrote:
> The changes are around how user data is handled.
> 
> 1. permissions are mapped before data is matched
> 2. If data is to be mapped a AA_CONT_MATCH flag is set in the permissions
>    which allows data matching to continue.
> 3. If data auditing is to occur the AA_AUDIT_MNT_DATA flag is set
> 
> This allows better control over matching and auditing of data, which can
> be binary and should not be matched or audited.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
>  parser/mount.h        |    6 +++-
>  parser/parser_regex.c |   56 ++++++++++++++++++++++++++++++++++++++++++-------
>  2 files changed, 52 insertions(+), 10 deletions(-)
> 
> diff --git a/parser/mount.h b/parser/mount.h
> index 8a102ed..16a2dc3 100644
> --- a/parser/mount.h
> +++ b/parser/mount.h
> @@ -103,8 +103,10 @@
>  #define AA_MAY_PIVOTROOT 1
>  #define AA_MAY_MOUNT 2
>  #define AA_MAY_UMOUNT 4
> -#define AA_DUMMY_REMOUNT 32	/* dummy perm for remount rule - is remapped
> -				 * to a mount option*/
> +#define AA_AUDIT_MNT_DATA 0x40
> +#define AA_MATCH_CONT 0x40

Are these two supposed to have the same value?

> +#define AA_DUMMY_REMOUNT 0x40000000	/* dummy perm for remount rule - is
> +					 * remapped to a mount option*/
>  
>  
>  struct mnt_entry {
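Review bot: The flag the commit description calls AA_CONT_MATCH is defined here as `AA_MATCH_CONT`; one of the two should be renamed so the description can be grepped against the code. The comment carried over onto AA_DUMMY_REMOUNT still explains only that the perm is remapped to a mount option, not why its value moved from 32 to 0x40000000, so the next reader has to infer the reason from the new flags added just above it. If the move is to keep the dummy bit clear of values that are now meaningful flags, a why-comment such as `/* parser-internal: kept clear of the flag bits defined above */` would make that explicit — worth confirming that is the actual reason.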
> diff --git a/parser/parser_regex.c b/parser/parser_regex.c
> index 0e6e449..8c34799 100644
> --- a/parser/parser_regex.c
> +++ b/parser/parser_regex.c
> @@ -784,6 +784,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
>  
>  	if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_REMOUNT)
>  	    && !entry->device && !entry->dev_type) {
> +		int allow;
>  		/* remount can't be conditional on device and type */
>  		p = mntbuf;
>  		/* rule class single byte header */
> @@ -816,11 +817,31 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
>  		vec[3] = flagsbuf;
>  		if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
>  			goto fail;
> -		vec[4] = optsbuf;
> -		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
> -				       entry->audit, 5, vec, dfaflags))
> +
> +		if (entry->opts)
> +			allow = AA_MATCH_CONT;
> +		else
> +			allow = entry->allow;
> +
> +		/* rule for match without required data || data MATCH_CONT */
> +		if (!aare_add_rule_vec(dfarules, entry->deny, allow,
> +				       entry->audit | AA_AUDIT_MNT_DATA, 4,
> +				       vec, dfaflags))
>  			goto fail;
>  		count++;
> +
> +		if (entry->opts) {
> +			/* rule with data match required */
> +			if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
> +				goto fail;
> +			vec[4] = optsbuf;
> +			if (!aare_add_rule_vec(dfarules, entry->deny,
> +					       entry->allow,
> +					       entry->audit | AA_AUDIT_MNT_DATA,
> +					       5, vec, dfaflags))
> +				goto fail;
> +			count++;
> +		}
>  	}
>  	if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_BIND)
>  	    && !entry->dev_type && !entry->opts) {
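Review bot: The pre-existing `build_mnt_opts()` call kept at the top of this hunk now does redundant work: its output was consumed only by the removed `vec[4] = optsbuf` line, and the identical call is repeated inside the new `if (entry->opts)` block where the buffer is actually used. The generic-mount hunk later in this patch removes its counterpart, so this looks like an oversight; the two lines `if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))` / `goto fail;` above the new code can be dropped. Keeping the early call also means a remount rule with no options still runs build_mnt_opts() on a NULL entry->opts, which is harmless only if that function tolerates NULL — not visible here. The enclosing process_mnt_entry() starts and ends outside the hunk.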
> @@ -919,6 +940,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
>  	}
>  	if ((entry->allow & AA_MAY_MOUNT) &&
>  	    (entry->flags | entry->inv_flags) & ~MS_CMDS) {
> +		int allow;
>  		/* generic mount if flags are set that are not covered by
>  		 * above commands
>  		 */
> @@ -944,13 +966,31 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
>  		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
>  			goto fail;
>  		vec[3] = flagsbuf;
> -		if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
> -			goto fail;
> -		vec[4] = optsbuf;
> -		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
> -				       entry->audit, 5, vec, dfaflags))
> +
> +		if (entry->opts)
> +			allow = AA_MATCH_CONT;
> +		else
> +			allow = entry->allow;
> +
> +		/* rule for match without required data || data MATCH_CONT */
> +		if (!aare_add_rule_vec(dfarules, entry->deny, allow,
> +				       entry->audit | AA_AUDIT_MNT_DATA, 4,
> +				       vec, dfaflags))
>  			goto fail;
>  		count++;
> +
> +		if (entry->opts) {
> +			/* rule with data match required */
> +			if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
> +				goto fail;
> +			vec[4] = optsbuf;
> +			if (!aare_add_rule_vec(dfarules, entry->deny,
> +					       entry->allow,
> +					       entry->audit | AA_AUDIT_MNT_DATA,
> +					       5, vec, dfaflags))
> +				goto fail;
> +			count++;
> +		}
>  	}
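Review bot: `AA_AUDIT_MNT_DATA` is OR'd into the audit mask of both rules added here, including the 4-element rule that carries no option data, while the commit message says the flag is set only when data auditing is to occur; the remount hunk earlier in this patch does the same. If the consumer needs the flag on the continuation rule to know that the data that follows is to be audited, a comment should say so; otherwise the first `aare_add_rule_vec()` call should pass `entry->audit` alone. The comment `/* rule for match without required data || data MATCH_CONT */` would also read more clearly as `/* without opts this rule grants the perms; with opts it only lets matching continue into the data */`. This block is now duplicated verbatim between the remount and generic-mount branches and is a good candidate for a static helper taking the entry, vec and buffers. process_mnt_entry() continues outside the hunk.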
>  	if (entry->allow & AA_MAY_UMOUNT) {
>  		p = mntbuf;
> -- 
> 1.7.9.1
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/